WASHINGTON — Only a day after disclosing a massive security breach involving 300,000 consumers, LexisNexis found itself under an uncomfortable congressional microscope Wednesday.

Senators peppered the commercial data broker and two of its rivals, ChoicePoint and Acxiom, with questions about recent breaches at several institutions that have seen consumers' personal data exposed or stolen, putting them at risk of identity theft.

"My conclusion is we need federal legislation," said Sen. Arlen Specter, who presided over the Judiciary Committee hearing on Capitol Hill.

Pressure has been building for some kind of regulation of the industry in the wake of ChoicePoint's disclosure two months ago that criminals had stolen data on 145,000 U.S. citizens. News of several other high-profile data leaks followed, including a March announcement from LexisNexis that data on 30,000 consumers had been pilfered. LexisNexis revised that announcement Tuesday, revealing an additional 280,000 consumers may have been affected by that theft.

"We sincerely regret this," said LexisNexis president Kurt Sanford. A just-concluded investigation revealed there were 59 separate incidents at the firm's newly acquired Seisint division dating back to 2003, he said. In each case, a thief stole the login information belonging to a legitimate Seisint customer and downloaded consumer Social Security numbers and other personal information.

In some cases, the legitimate customer used ineffective passwords, he said. In other cases, a Trojan horse program or computer virus was used to steal login information. The firm has since tightened its security procedures, Sanford said, forcing customers to change their passwords every 90 days.

But that wasn't enough to satisfy members of the Senate committee, who seemed intent on passing some federal law to stem the tide of data thefts.

"You can be sure there will be firm federal legislation coming about this issue," said Specter, R-Pa.

The incident revealed how easily private information is stolen, said Sen. Patrick Leahy, D-Vt. "These were relatively unsophisticated scams," he said, criticizing the data industry for not doing a better job of protecting the private information. "This hearing is about shining a light on those practices."

Sens. Chuck Schumer, D-N.Y., and Bill Nelson, R-Fla., added to the growing pile of legislative proposals by announcing before the hearing a new bill that would give the Federal Trade Commission an additional $60 million to fight identity theft.

"We have got to get our arms around this issue, otherwise, Americans won't have any privacy left," Nelson said.

Much of the discussion at the crowded hearing focused on California's data theft disclosure law, and proposals to extend that law nationwide. Passed in 2003, the law requires companies to tell California residents if their personal information has been stolen by a criminal or exposed by a computer hacker. California is the only state with such a law.

Sen. Dianne Feinstein, D-Calif., who has proposed a nationwide disclosure law, said consumers would still be in the dark about break-ins at ChoicePoint and LexisNexis if not for the California law. She pointedly asked executives of both firms if they had suffered break-ins prior to 2003 and not told consumers. Both LexisNexis President Kurt Sanford and ChoicePoint President Douglas Curling said they had kept such incidents from consumers.

"This is my point," said Feinstein. "If it weren't for the California law, we would have no way of knowing about (data thefts), no way to pierce the depths of what has happened in this industry."

Sanford, Curling, and Acxiom chief privacy officer Jennifer Barrett all agreed to support notification rules, but urged lawmakers to adopt a policy recommended by the Federal Trade Commission that would limit mandated disclosure to incidents where there is a "significant risk" of identity theft to consumers.

"We are grappling with the issue of over-notification," said FTC chief Deborah Platt Majoras. "We have learned that consumers become numb to too many notifications."

She suggested that consumers need not be notified in some situations — for example, if a computer hacker accesses data, but is quickly apprehended and shows no signs of using the data for identity theft.

Feinstein pressed her on the issue. "How can you define significant risk?" she said.

The three data broker executives all defended their industry, saying their databases help law enforcement agencies hunt down criminals and marketers target their products. Curling and Barrett also said they had added additional security procedures in light of recent incidents.

"We have a tightrope to walk here," Schumer said, acknowledging the federal government's use of the private database firms.